On Fri, 19 Mar 2010, William Pitcock wrote:
> On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
>> An ongoing area of work is to build better closed,
>> trusted communities without leaks.
> Have you ever considered that public transparency might not be a bad
> thing? This seems to be the plight of many security people, that they
> have to be 100% secretive in everything they do, which is total
> bullshit.
That's fine, in theory, but in practice it doesn't work.
Part of the issue is that information that could be considered sensitive
generally has to have a level of trust for both the sender(s) and
receiver(s), and that level of trust is generally not possible in an open
forum. By "level of trust" I mean that if I have sensitive intel about an
ongoing incident (attack, pwnd box, etc) I need to have some assurance
that the information gets to people who can and will act on it, and keep
that information confidential. nsp-sec has worked to build that level of
trust (in general, with pretty good success) through the vetting process
that every potential participant goes through.
Is it a perfect system? No, but it does serve a useful and important
purpose.
Many security people have to keep things quiet for the same reasons, in
addition to (not an all-inclusive list):
1. They might be under NDA or be employed at a company that has a
policy against any sort of "unapproved disclosures"
2. The sources of various bits of intel are confidential, and releasing
unfiltered information could compromise those sources.
3. Releasing unfiltered information could compromise intel gathering
methods, potentially rendering them useless for further action.
"The likelihood that a secret will be kept goes down by the square of the
number of people who know it" -- source unknown
"The likelihood that a meeting will be productive goes down by the square
of the number of people who attend" -- me
jms